openfire -- Openfire No Password Changes Security Bypass

Details

VuXML ID: e3e30d99-58a8-4a3f-8059-a8b7cd59b881
Discovery: 2009-05-04
Entry: 2009-05-04
Modified: 2010-05-02

Secunia reports:

A vulnerability has been reported in Openfire which can
be exploited by malicious users to bypass certain security
restrictions. The vulnerability is caused due to Openfire
not properly respecting the no password changes setting which
can be exploited to change passwords by sending jabber:iq:auth
passwd_change requests to the server.